release: v0.6.1 #256
Conversation
this avoids a race condition that would happen if the goroutine tried to read a file descriptor that wasn't open properly and would lose frame delivery
we also have added the necessary logic to auto prune ephemeral nodes because headscale doesn't seem to automatically remove them. this change made use of a database which is now stored in the persistent headplane directory.
And in typical fashion the build is broken. Will address this shortly.
Ufff.. Headplane docker is down.. I can't see anything in the log causing this behavior. After a while, I could see the following error:
I understood that the db was created by default if it didn't exist
I've just run this in a private window (so there should be no cookies at all). I get redirected to login, but then (without seeing the onboarding page this time) I hit a redirect loop again 😕. This is my config:

```yaml
headscale:
  config_path: /nix/store/r3cljz68gagl3ss0lij4nq113qvn4kf8-headscale.yaml
  config_strict: true
  url: http://localhost:8174
integration:
  agent:
    enabled: false
    pre_authkey_path: /run/agenix/headplane-preauth
  proc:
    enabled: true
oidc:
  client_id: headscale
  client_secret_path: /run/agenix/headscale-oidc
  disable_api_key_login: true
  headscale_api_key: --set in env file--
  issuer: https://auth.tecosaur.net
  redirect_uri: https://headscale.tecosaur.net/admin/oidc/callback
  token_endpoint_auth_method: client_secret_basic
server:
  cookie_secret: '--------set in env file---------'
  cookie_secure: true
  host: 0.0.0.0
  port: 8175
```

I'll be AFK for the next ~18h, but happy to help debug after then
@tecosaur This is likely something with OIDC setup between Authelia and Headplane.

I think it also sounds like the cookie isn't setting correctly. You can validate by checking for the hp_session or hp_auth cookies in the application storage in DevTools.
@igor-ramazanov if that's the case, it could be helpful if we compared our Headplane/headscale and Authelia configs. My headscale config is unchanged from my last message, and with Authelia I have:

```yaml
- access_token_signed_response_alg: none
  authorization_policy: headscale
  client_id: headscale
  client_name: Headscale
  client_secret: $argon2id$v=19$m=65536,t=3,p=4$...
  consent_mode: implicit
  public: false
  redirect_uris:
    - https://headscale.tecosaur.net/oidc/callback
    - https://headscale.tecosaur.net/admin/oidc/callback
  scopes:
    - openid
    - email
    - profile
    - groups
  token_endpoint_auth_method: client_secret_basic
  userinfo_signed_response_alg: none
```

@tale: I cannot find any indication of those cookies being set if I inspect the site storage. If it's of any use, in the logs I just see:
If the cookies are not being set it is 100% an issue with your reverse proxy or hosting setup. When cookie_secure is set to true you need to be running in HTTPS. The cookie also will only match the
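The symptom above (redirect loop, no hp_session/hp_auth cookie visible in DevTools) is usually the browser refusing a cookie rather than the server not sending one. The following is an added diagnostic, not Headplane's own code: given the URL the browser actually loaded and the raw Set-Cookie headers from the response (e.g. copied from DevTools or curl -i), it reports why a browser would drop the cookie. The cookie names are the ones named in this thread; Headplane's real cookie attributes are not assumed beyond what the headers say.

```python
"""Explain why a browser would reject Headplane's session cookies (added example)."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Cookie names the maintainer mentioned in this thread; either one may be in use.
HEADPLANE_COOKIES = ("hp_session", "hp_auth")


def cookie_problems(request_url: str, set_cookie_headers: list[str]) -> list[str]:
    """Return human-readable reasons the browser would not keep Headplane's cookies.

    request_url:        the URL as the browser saw it (scheme and host matter).
    set_cookie_headers: every Set-Cookie header value from the response.
    """
    parts = urlsplit(request_url)
    host = parts.hostname or ""
    problems: list[str] = []
    seen: set[str] = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name not in HEADPLANE_COOKIES:
                continue
            seen.add(name)
            # cookie_secure: true adds the Secure attribute; a browser silently drops a
            # Secure cookie when the page itself was loaded over plain http (e.g. an
            # http-only reverse proxy or hitting the port directly).
            if morsel["secure"] and parts.scheme != "https":
                problems.append(f"{name}: Secure attribute set but page loaded over {parts.scheme}")
            # A Domain attribute must cover the request host or the cookie is rejected.
            domain = morsel["domain"].lstrip(".")
            if domain and host != domain and not host.endswith("." + domain):
                problems.append(f"{name}: Domain={domain} does not cover request host {host}")
    if not seen:
        problems.append("no Headplane session cookie (hp_session/hp_auth) was set by the server")
    return problems


if __name__ == "__main__":
    # Constructed sample: cookie_secure: true, but the admin UI was opened over http.
    sample = ["hp_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]
    for line in cookie_problems("http://localhost:8175/admin", sample):
        print(line)
```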
@tecosaur Here's my authelia config:

```yaml
access_control:
  default_policy: two_factor
authentication_backend:
  file:
    path: /etc/authelia/users.yaml
    search:
      email: true
default_2fa_method: ''
identity_providers:
  oidc:
    jwks:
      - key: '{{ secret "/run/secrets/authelia/privateKey" | mindent 10 "|" | msquote }}'
    authorization_policies:
      headplane:
        default_policy: deny
        rules:
          - policy: two_factor
            subject:
              - group:admin
    clients:
      - authorization_policy: headplane
        client_id: headplane
        client_name: Headplane
        client_secret: replaceme
        consent_mode: implicit
        redirect_uris:
          - https://headscale.example.org/admin/oidc/callback
      - client_id: headscale
        client_name: Headscale
        client_secret: replaceme
        consent_mode: implicit
        redirect_uris:
          - https://headscale.example.org/oidc/callback
log:
  file_path: null
  format: text
  keep_stdout: false
  level: info
notifier:
  smtp:
    address: smtp://smtp.example.org:587
    password: '{{fileContent "/run/secrets/authelia/smtp"}}'
    sender: Authelia <[email protected]>
    startup_check_address: [email protected]
    username: [email protected]
server:
  address: tcp4://localhost:9091
session:
  cookies:
    - authelia_url: https://login.example.org
      domain: login.example.org
storage:
  local:
    path: /var/lib/authelia-main/db.sqlite3
telemetry:
  metrics:
    address: tcp://localhost:9959
    enabled: false
theme: light
```
@tecosaur Headscale's oidc:

```yaml
oidc:
  allowed_domains: []
  allowed_users: []
  client_id: headscale
  client_secret_path: /run/secrets/headscale/oidcClientSecret
  extra_params: {}
  issuer: https://login.example.org
  only_start_if_oidc_is_available: true
  scope:
    - openid
    - profile
    - email
```
@tecosaur Headplane:

```yaml
headscale:
  config_path: /nix/store/fi7mbrb9glgmy20vrzn8h3k3fd53fs7r-headscale.yml
  config_strict: true
  url: https://headscale.example.org
integration:
  agent:
    cache_path: /var/lib/headplane/agent_cache.json
    cache_ttl: 180000
    enabled: true
    executable_path: /nix/store/x6sy166dzp971419ghv7882ivq21m57k-hp_agent-0.6.1/bin/hp_agent
    host_name: headplane-agent
    pre_authkey_path: /run/secrets/tailscale/authKey
    work_dir: /var/lib/headplane/agent
  proc:
    enabled: true
oidc:
  client_id: headplane
  client_secret_path: /run/secrets/headplane/oidcClientSecret
  disable_api_key_login: true
  headscale_api_key_path: /run/secrets/headscale/accessToken
  issuer: https://login.example.org
  redirect_uri: https://headscale.example.org/admin/oidc/callback
  token_endpoint_auth_method: client_secret_basic
  user_storage_file: /var/lib/headplane/users.json
server:
  cookie_secret_path: /run/secrets/headplane/cookieSecret
  cookie_secure: true
  data_path: /var/lib/headplane
  host: 127.0.0.1
  port: 3000
```
@tecosaur Looks like you need to split up the Authelia client into two separate Authelia clients:

```yaml
redirect_uris:
  - https://headscale.tecosaur.net/oidc/callback
  - https://headscale.tecosaur.net/admin/oidc/callback
```
Ah interesting, so you've ended up with different headscale and headplane OIDC auth. Is there a particular reason why you've split them?

@tecosaur Not sure if that's the correct way of doing it, but I assumed that's how it should be done in the first place and that it won't work otherwise. I haven't tried reusing the same client for both.
So, the issue was in Nginx, it didn't serve the Added a valid Nginx' Devtools logs from web ssh connection page:
@tale I'm on 0.6.1 and when I removed all the nameservers while the override dns servers toggle was still on, headplane stopped responding (probably more than just headplane) until I manually set it to false via file editing.
@igor-ramazanov #319 should fix your issue |
This is the start of the next release cycle (version 0.6.1), which aims to do a few things. These changes are to address lingering issues, implement SSH agent capability through the web browser, and focus on data migration to SQLite.
- `integration.agent` section to be set up in the config file.
- `/var/lib/headplane/hp_persist.db`.
- `chown -R 65532:65532 .` on the volume mount.
- `ghcr.io/tale/headplane:<version>-shell`.
- `/proc` integration (via Proc mode: try to guess PID based on Parent PID when multiple found #219).
- `server.cookie_secret_path` can override `server.cookie_secret`.
- `oidc.profile_picture_source` to `gravatar` (closes Support gravatar profile #232).
- `oidc.authorization_endpoint`, `oidc.token_endpoint`, and `oidc.userinfo_endpoint` can be overridden to support non-standard providers or scenarios without discovery (closes Support GitHub OIDC #117).
- `oidc.scope` can be set to specify custom scopes (defaults to `openid email profile`).
- `oidc.extra_params` can be set to pass arbitrary query parameters to the authorization endpoint (closes Support specifying OIDC query parameters via the config #197).

This PR is now complete and I will be merging this in very soon. As a final note, it addresses outdated dependency vulnerabilities, tons of robustness changes, support for SSH via the web, and a switch to SQLite for the backing datastore that we use.
My last few steps include: